Bug 961803 (CVE-2013-2071) - CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
Summary: CVE-2013-2071 tomcat: Information disclosure in asynchronous context when usi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2071
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20130510,reported=2...
Depends On: 961806 962270
Blocks: 959037 961808
TreeView+ depends on / blocked
 
Reported: 2013-05-10 12:34 UTC by Jan Lieskovsky
Modified: 2019-06-08 19:34 UTC (History)
9 users (show)

Fixed In Version: Apache Tomcat 7.0.40
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-03 18:08:06 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1011 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 19:47:30 UTC
Red Hat Product Errata RHSA-2013:1012 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 19:47:16 UTC
Red Hat Product Errata RHSA-2013:1013 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 20:18:21 UTC

Description Jan Lieskovsky 2013-05-10 12:34:51 UTC
An information disclosure flaw was found in the way asynchronous context implementation of Apache Tomcat, an Apache Servlet/JSP Engine, performed request information management in certain circumstances (formerly certain elements of a previous request might have been exposed to the current request). If an application used AsyncListeners that threw RuntimeExceptions, a remote attacker could use this flaw to possibly obtain sensitive information.

Upstream bug report:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178

Relevant upstream patch (including testcase):
http://svn.apache.org/viewvc?view=rev&rev=1471372

Comment 1 Jan Lieskovsky 2013-05-10 13:02:20 UTC
This issue affects the versions of the tomcat package, as shipped with Fedora release of 17 and 18. Please schedule an update.

--

This issue did NOT affect the versions of the tomcat6 packages, as shipped with Fedora release of 17 and 18 (as those versions did not contain the vulnerable code part yet).

Comment 2 Jan Lieskovsky 2013-05-10 13:02:53 UTC
Created tomcat tracking bugs for this issue

Affects: fedora-all [bug 961806]

Comment 3 David Jorm 2013-05-13 04:26:35 UTC
Statement:

This flaw only affects tomcat 7. Tomcat 5 and 6 are not affected. The jbossweb servlet container is also not affected.

Comment 5 errata-xmlrpc 2013-07-03 15:49:59 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html

Comment 6 errata-xmlrpc 2013-07-03 15:51:51 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html

Comment 7 errata-xmlrpc 2013-07-03 16:22:56 UTC
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html


Note You need to log in before you can comment on or make changes to this bug.